Business Journal Ask the Expert Column – December 2018
It’s hard to believe that I’ve served as the St. Louis Business Journal’s Cyber Security Expert for an entire year . . . and I’m happy to announce I’ll be back for 2019. Most of you know this is a paid column, so technically you could say this is an ad or advertorial, but my goal in writing this column has little to do with sales. Instead, I hope to dispel misinformation in the marketplace and to provide the business community with accurate, reliable and actionable information to help improve the state of cyber security for all of us.
To all of you who have sent me great questions or stopped me on the street to say how much this column has helped you, I can only say “thank you for reading.” I’m glad I’ve been of help. With that thought in mind, I recently gathered some great questions that will be perfect for starting your 2019 on a safer cyber security path.
Q: We’re planning M&A activities in early 2019. How should cyber security be addressed when bringing together companies?
A: Before doing anything, understand that the cyber security issues involving these new partners will soon be your responsibility. And that’s almost never good. If the companies have incurred a breach, it’s now your problem to fix and your financial responsibility. You could be fined, face court actions, and potentially find yourself on the hook for millions of dollars in damages and losses if you don’t do your homework and do it well.
First and foremost, I would recommend conducting a cyber security assessment and audit. These processes are critical in determining if the company you’re considering is currently breached, exhibits vulnerabilities or has been breached in the past. Learning of past or current compromises should significantly reduce your investment cost and possibly minimize your liability if negotiated into any M&A agreements.
You wouldn’t buy a home without a thorough inspection. The same should hold true for a potential M&A target, particularly when a breach could damage your systems and networks and possibly compromise IP and trade secrets. Also, be sure to examine possible internal threats posed by new personnel—that’s a subject I will explore later in this article.
Q: What can we do to defend against ransomware in the coming year?
A: Criminals are becoming more sophisticated every day when it comes to ransomware attacks. Sadly, no business is too large or too small to avoid being a ransomware target. We recommend working with a third-party vendor to create advanced barriers to outside intruders by eliminating vulnerabilities and keeping your defenses strong and uncompromised. You’ll also need to vet and audit your internal personnel and vendors to make sure they aren’t selling off your most valuable assets behind your back or working to help a malicious threat gain entry into your network. You should also set up a multi-layered backup system, with at least one backup that is isolated offsite, to handle only your critical asset backups.
Once you secure the systems side of ransomware, you need to do some planning. Set up ransomware attack protocols and practice using them during real-world simulations of how you would handle an attack. Bring in an outside company to legally breach your system, then figure out how to crush the threat the moment it is discovered. These exercises are invaluable.
Q: What do you see as the greatest cyber security threat we will face in 2019?
A: The greatest challenge for all organizations as we move into 2019 will most likely come from disgruntled insiders, employees who feel wronged and are seeking revenge, or from malicious insiders, who infiltrate businesses with the intent of defrauding or doing harm. According to an article on Darkreading.com, malicious insiders alone are already responsible for 27 percent of all cybercrime.
As disheartening as it sounds, you may need to install software and systems that monitor employee cyber behaviors for high-risk exposures and even internal hacking. If you don’t have the budget for these tools, creating deterrence and detection programs backed by sound policies and protocols (and executing them with a religious fervor) can be highly effective, particularly for smaller organizations.
Remember, when dealing with cyber threats, nothing you can do will make you absolutely bulletproof. But looking forward, you need to do more than plan for today and tomorrow. You need to always address possible issues 6 months, a year and multiple years ahead. It’s the only true way to provide maximum protection of your assets in a world where your adversaries could be hiding on the other side of the globe.
Stay safe and here’s to a productive 2019!